A little more than three weeks after announcing it had added role management
to its identity management offerings, CA has unveiled several
products focused around that issue as well as the bigger one of governance,
risk and compliance (GRC).
Here’s why: The easiest compliance breach to spot, and the one that occurs
most frequently, is when users either retain access rights they shouldn’t have
or were given those rights by mistake.
Correcting that is simple in theory: Identify the users, figure out what
access rights they should have according to their roles in the organization and
ensure they only have those rights.
Add process and policy management, and automation to the mix, and you
should, in theory, have a pretty secure organization with minimum danger of
CA added role management
to its offerings May 14, when it agreed to resell Eurekify’s Enterprise Role
It has now unveiled three identity and access management products: CA
Identity Manager, CA Access Control and Security Compliance Manager.
“These are three of many products around identity and access management, and
all have compliance features built in so you have basic controls in place,”
Lina Liberti, CA’s vice president of security management, told
“Here in the United States people are just trying to get to creating a
repeatable, sustainable process to get the cost out of compliance.”
The tools will automate what basically is a manual process, where companies
ensure users only have the access appropriate to their jobs and their managers
certify they have that access.
Together with the other five tools, they will “help enterprises improve
compliance initiatives or lower costs by automating compliance management,
creating online workflow and tying in to remediation,” Liberti said.
Identity is key for IT GRC because “access control is one of the primary
foci for IT governance,” Scott Crawford, Enterprise Management Associates’
research director, told InternetNews.com.
“Correlating individuals’ roles to their jobs has become more of an issue in
the enterprise over the past couple of years, and auditors pick on this because
they can get to it very quickly,” Crawford said.
One auditor told him that “43 percent of the staff in a 5,000-person
business has overbroad entitlements or entitlements that should have been
retired,” Crawford added.
The problem is partially one of nomenclature. “A lot of enterprises have
deep, detailed IT entitlements and
face the challenge of rolling them up and giving them a role name recognized by
the business side,” Mark McClain, CEO and founder of SailPoint Technologies
told InternetNews.com. SailPoint is a player across the spectrum of
Once that’s done, the roles can be used in compliance management.
The next wave of GRC products “will be in the identity GRC space — how to
do GRC around all this identity you have in the enterprise,” McClain said.
In the past few years, access control efforts have focused on provisioning
or providing users with a corporate identity and ancillary services, rather
than deprovisioning, and “role management like Eurekify is where we see a lot
of motion around this,” Crawford said.
In terms of its GRC products, CA is behind the pure IT GRC players such as
Agiliance and Archer that “have already been carving out leadership in this
space for two to three years,” but not doing too badly compared to other major
players, who “have not focused so much on IT GRC,” Crawford said.
He listed CA’s competitors in this space as primarily Symantec (NASDAQ:
SYMC), with its 2005 acquisition of BindView, which
provides agentless IT security compliance software, and IBM, which
“has a very broad portfolio they can position around IT governance, risk and
The issue with GRC is that it’s “a combination of management in multiple
domains on the one hand, and process in terms of tying things together in
coherent fashion on the other,” Crawford said. He expects CA “to make a
Article courtesy of